avcodec/movtextdec: Simplify checking for invalid extradata

Every font entry occupies at least three bytes, so checking early whether there is that much data available is a low-effort way to exclude invalid extradata. Doing so leads to an overall simplification. Reviewed-by: Philip Langdale <philipl@overt.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit a42695c072)
2020-10-17 13:13:23 +02:00
parent 59b8634411
commit b4a96efdda
1 changed files with 7 additions and 11 deletions
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -145,14 +145,13 @@ static void mov_text_cleanup_ftab(MovTextContext *m)
 static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
 {
    uint8_t *tx3g_ptr = avctx->extradata;
-    int i, box_size, font_length;
+    int i, font_length, remaining = avctx->extradata_size - BOX_SIZE_INITIAL;
    int8_t v_align, h_align;
    unsigned ftab_entries;
    StyleBox s_default;
    m->ftab_entries = 0;
-    box_size = BOX_SIZE_INITIAL; /* Size till ftab_entries */
+    if (remaining < 0)
    if (avctx->extradata_size < box_size)
        return -1;
    // Display Flags
@@ -220,6 +219,9 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
    ftab_entries = AV_RB16(tx3g_ptr);
    if (!ftab_entries)
        return 0;
    remaining   -= 3 * ftab_entries;
    if (remaining < 0)
        return AVERROR_INVALIDDATA;
    m->ftab = av_calloc(ftab_entries, sizeof(*m->ftab));
    if (!m->ftab)
        return AVERROR(ENOMEM);
@@ -227,18 +229,12 @@ static int mov_text_tx3g(AVCodecContext *avctx, MovTextContext *m)
    tx3g_ptr += 2;
    for (i = 0; i < m->ftab_entries; i++) {
        box_size += 3;
        if (avctx->extradata_size < box_size) {
            mov_text_cleanup_ftab(m);
            return -1;
        }
        m->ftab[i].fontID = AV_RB16(tx3g_ptr);
        tx3g_ptr += 2;
        font_length = *tx3g_ptr++;
-        box_size = box_size + font_length;
+        remaining  -= font_length;
-        if (avctx->extradata_size < box_size) {
+        if (remaining < 0) {
            mov_text_cleanup_ftab(m);
            return -1;
        }